amadey | 3c91163ea40ad7e35bac48ded16235cfe9003c914f570e27b4e2d7b3c9c46c05

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe
Size

1.2MB
MD5

bee9d99ecef94f358964129388df01b0
SHA1

828bcb3d3ed8de9b20d11206b81c837781695348
SHA256

8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b
SHA512

d437f45bc4606f0b1ef8146fb59b69dfe5e0d2bc234b1ba15761e533fbb2e8d5b62c6e865994ad338e69f81716b9ceab4d6a9c8c0d71f454514e607642727e55
SSDEEP

24576:VyGLW/wF2kZsHM8n7mQ4B6kAyQgNROuaNpszalvbF/Tm46Kp0Jkpd:wGa/CxqHJV4B6kAyQYHaNezqp/S46Km

Score

10^/10

amadey mystic redline 04d170 daf753 frant evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

frant

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

Botnet

04d170

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

daf753

http://77.91.68.78

Attributes

install_dir
cb378487cf
install_file
legota.exe
strings_key
f3785cbeef2013b6724eed349fd316ba
url_paths
/help/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral12/memory/2324-70-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral12/memory/2324-73-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral12/memory/2324-71-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1SX75WI3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1SX75WI3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1SX75WI3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1SX75WI3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1SX75WI3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	1SX75WI3.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral12/memory/4376-77-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	4NT820Hf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	5Vj9yf8.exe

Executes dropped EXE 16 IoCs

pid	Process
2704	Ft3oe86.exe
2592	pl2vN14.exe
1132	rr3jV75.exe
4940	pX0WF76.exe
1028	1SX75WI3.exe
3476	2Px02xd.exe
1320	3es9218.exe
1704	4NT820Hf.exe
2448	explothe.exe
4724	5Vj9yf8.exe
2432	legota.exe
4464	6Fn7yT90.exe
5800	legota.exe
5840	explothe.exe
5456	legota.exe
5824	explothe.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1SX75WI3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1SX75WI3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ft3oe86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	pl2vN14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rr3jV75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	pX0WF76.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3476 set thread context of 2324	3476	2Px02xd.exe	101
PID 1320 set thread context of 4376	1320	3es9218.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1328	3476	WerFault.exe	99
2012	1320	WerFault.exe	105

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3408	schtasks.exe
3028	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1028	1SX75WI3.exe
1028	1SX75WI3.exe
1320	msedge.exe
1320	msedge.exe
1132	msedge.exe
1132	msedge.exe
3400	msedge.exe
3400	msedge.exe
1428	identity_helper.exe
1428	identity_helper.exe
5388	msedge.exe
5388	msedge.exe
5388	msedge.exe
5388	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	1SX75WI3.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2704	2684	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe	83
PID 2684 wrote to memory of 2704	2684	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe	83
PID 2684 wrote to memory of 2704	2684	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe	83
PID 2704 wrote to memory of 2592	2704	Ft3oe86.exe	85
PID 2704 wrote to memory of 2592	2704	Ft3oe86.exe	85
PID 2704 wrote to memory of 2592	2704	Ft3oe86.exe	85
PID 2592 wrote to memory of 1132	2592	pl2vN14.exe	86
PID 2592 wrote to memory of 1132	2592	pl2vN14.exe	86
PID 2592 wrote to memory of 1132	2592	pl2vN14.exe	86
PID 1132 wrote to memory of 4940	1132	rr3jV75.exe	87
PID 1132 wrote to memory of 4940	1132	rr3jV75.exe	87
PID 1132 wrote to memory of 4940	1132	rr3jV75.exe	87
PID 4940 wrote to memory of 1028	4940	pX0WF76.exe	88
PID 4940 wrote to memory of 1028	4940	pX0WF76.exe	88
PID 4940 wrote to memory of 1028	4940	pX0WF76.exe	88
PID 4940 wrote to memory of 3476	4940	pX0WF76.exe	99
PID 4940 wrote to memory of 3476	4940	pX0WF76.exe	99
PID 4940 wrote to memory of 3476	4940	pX0WF76.exe	99
PID 3476 wrote to memory of 2324	3476	2Px02xd.exe	101
PID 3476 wrote to memory of 2324	3476	2Px02xd.exe	101
PID 3476 wrote to memory of 2324	3476	2Px02xd.exe	101
PID 3476 wrote to memory of 2324	3476	2Px02xd.exe	101
PID 3476 wrote to memory of 2324	3476	2Px02xd.exe	101
PID 3476 wrote to memory of 2324	3476	2Px02xd.exe	101
PID 3476 wrote to memory of 2324	3476	2Px02xd.exe	101
PID 3476 wrote to memory of 2324	3476	2Px02xd.exe	101
PID 3476 wrote to memory of 2324	3476	2Px02xd.exe	101
PID 3476 wrote to memory of 2324	3476	2Px02xd.exe	101
PID 1132 wrote to memory of 1320	1132	rr3jV75.exe	105
PID 1132 wrote to memory of 1320	1132	rr3jV75.exe	105
PID 1132 wrote to memory of 1320	1132	rr3jV75.exe	105
PID 1320 wrote to memory of 4376	1320	3es9218.exe	107
PID 1320 wrote to memory of 4376	1320	3es9218.exe	107
PID 1320 wrote to memory of 4376	1320	3es9218.exe	107
PID 1320 wrote to memory of 4376	1320	3es9218.exe	107
PID 1320 wrote to memory of 4376	1320	3es9218.exe	107
PID 1320 wrote to memory of 4376	1320	3es9218.exe	107
PID 1320 wrote to memory of 4376	1320	3es9218.exe	107
PID 1320 wrote to memory of 4376	1320	3es9218.exe	107
PID 2592 wrote to memory of 1704	2592	pl2vN14.exe	110
PID 2592 wrote to memory of 1704	2592	pl2vN14.exe	110
PID 2592 wrote to memory of 1704	2592	pl2vN14.exe	110
PID 1704 wrote to memory of 2448	1704	4NT820Hf.exe	111
PID 1704 wrote to memory of 2448	1704	4NT820Hf.exe	111
PID 1704 wrote to memory of 2448	1704	4NT820Hf.exe	111
PID 2704 wrote to memory of 4724	2704	Ft3oe86.exe	112
PID 2704 wrote to memory of 4724	2704	Ft3oe86.exe	112
PID 2704 wrote to memory of 4724	2704	Ft3oe86.exe	112
PID 2448 wrote to memory of 3408	2448	explothe.exe	113
PID 2448 wrote to memory of 3408	2448	explothe.exe	113
PID 2448 wrote to memory of 3408	2448	explothe.exe	113
PID 2448 wrote to memory of 1480	2448	explothe.exe	115
PID 2448 wrote to memory of 1480	2448	explothe.exe	115
PID 2448 wrote to memory of 1480	2448	explothe.exe	115
PID 4724 wrote to memory of 2432	4724	5Vj9yf8.exe	116
PID 4724 wrote to memory of 2432	4724	5Vj9yf8.exe	116
PID 4724 wrote to memory of 2432	4724	5Vj9yf8.exe	116
PID 2684 wrote to memory of 4464	2684	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe	118
PID 2684 wrote to memory of 4464	2684	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe	118
PID 2684 wrote to memory of 4464	2684	8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe	118
PID 2432 wrote to memory of 3028	2432	legota.exe	120
PID 2432 wrote to memory of 3028	2432	legota.exe	120
PID 2432 wrote to memory of 3028	2432	legota.exe	120
PID 1480 wrote to memory of 3792	1480	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe
"C:\Users\Admin\AppData\Local\Temp\8fe46c7fa8f9aa4bf64dbc0fa9a1035875d7c94d139418284754473cc93dbe3b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ft3oe86.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ft3oe86.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl2vN14.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl2vN14.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr3jV75.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr3jV75.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pX0WF76.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pX0WF76.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SX75WI3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SX75WI3.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Px02xd.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Px02xd.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 596
        7⤵
        Program crash
        
        PID:1328
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3es9218.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3es9218.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4376
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 152
        6⤵
        Program crash
        
        PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4NT820Hf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4NT820Hf.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3408
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Vj9yf8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Vj9yf8.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:1876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3256
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:1196
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:4780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:548
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:2436
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:1088
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fn7yT90.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fn7yT90.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\66F7.tmp\66F8.tmp\66F9.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fn7yT90.exe"
    3⤵
    PID:792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:1828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x108,0x170,0x7ff8f50046f8,0x7ff8f5004708,0x7ff8f5004718
        5⤵
        
        PID:1524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,15286244359695086761,1773367458988911019,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
        5⤵
        
        PID:4716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,15286244359695086761,1773367458988911019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8f50046f8,0x7ff8f5004708,0x7ff8f5004718
        5⤵
        
        PID:4076
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        5⤵
        
        PID:3000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
        5⤵
        
        PID:1380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        5⤵
        
        PID:4308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        5⤵
        
        PID:1368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
        5⤵
        
        PID:364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
        5⤵
        
        PID:4660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
        5⤵
        
        PID:1608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
        5⤵
        
        PID:1132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
        5⤵
        
        PID:5148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
        5⤵
        
        PID:5156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5964376718033507210,6729135869855788538,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1068 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3476 -ip 3476
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1320 -ip 1320
1⤵
PID:4728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:5800

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5840

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:5456

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
013a44f1facf43394f176eba09627de8

SHA1
d42ca94f6b29f5afcee7887b5b99c3384da0c6db

SHA256
9aa155ec0b691bb4457866530c5084390e0873b7bc6e5d163a4cb4eb4da1d092

SHA512
05b75fd02bb9abdb4237b4d8cb7683a4ab6dbc880a79ccba69d542f0503b59c0e4bc795f5cba7fcf0939ef70dd2af1369d796a2a406936103530ad05f98d2702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fe710d742087d3da15549ea765a7ad77

SHA1
2922da683df20b5ad61a0ae7245e53402f28b327

SHA256
beb65cda4ade627aa41af4b824c58c83a46bcf36bc291bbe74524ad46b2c6beb

SHA512
f8e23cfde6c151ff2cc27b86cece6df886e2e6037c9a68a2424095e329075ddbc1414eaf5c20524b2fb77ce46204b99a6c21012df1ab94a657cd2e1d343bcd09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c36f39e967b7515978624ada690de7f2

SHA1
efbef0cb4d71d0e240d2938f0cb78ee009efbddd

SHA256
9cdf2b41dc50837b46274836c3a5e0ee4d40d6386448c3fd8b54c2a2b48ec981

SHA512
52b81d12b3f20ec7f64ec80768529d9ad1f879f4c45c033dede93d76e842b6ab4eebef4ea84c0c457bbd4928128214a0f9985a37f7a36aa063cfc14412eac448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6a7fa65781950e6ebe2a1907bc9dea2b

SHA1
8a60353f845b72f2a1fbf5f8b3720368f51a1c6b

SHA256
a37dc0587358581a956802fc366999ac517a0a1d2dcf39c7cff3ac234e5513f4

SHA512
b9b35ccbdcf0d174c2ecc6e83cd17baa6846dd80292b5031f3942d3847d132d04736d8d52fce53e0620d01c4fe83b1f9993bf3cacd169fa39a3d790aa15e5085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3ed8cd013d098f541f1ddcf876fd14d4

SHA1
7a0681e7ba93ec2fb1d2bbb7813b8b842f0d6f78

SHA256
68b79f4ab62427fa73c3b393d0b48900e2d64f045c25e34e0abb7ba195e5a2ee

SHA512
8610bdecb26a0d3ad356fb8d06034346d9eda875f7ab20297ab17cbf46b1f9eccbfc25598525c6a2060988d3a5cba15681337fb8a336bcfdc95ee26e6f6ae078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
866B

MD5
de7a8f01c1a0563cd32b676de3c35c93

SHA1
e2b209945b034301eebfa8cd5d94e8999dc0f537

SHA256
667321e94a66e65f5cd19fb3d267e59cb7d34331c3575a6f9c55664a7013c19e

SHA512
17aceb1f82bad736e020b2dadbf143872b0649de3e1ec485f7d46dd14ce61a0e45da2b70af5d62dad4d8cdb85327acf956c8c846d75323db3c16d22310356ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
866B

MD5
f86f3efbe2337766adac8d6093c6d8ab

SHA1
33378d7fb50b48f48f8af2c5dde2d29a4597519b

SHA256
61aa37666b73eebc6d6f205370373032d030ba4ae63b85936d7a2d7f0c0d80da

SHA512
df3fdbccaf2374f882acf65268c51ed9e1160e26703b38b4b5517f97efab5c17c48cf153375ee8cdc8e9c47fd4ec0f13fb460de117aecf5e29d70cef3e17a57a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
866B

MD5
152f85f83cae0c8ad2926bbc5be23d69

SHA1
0727fd320dda98025158f731d93bfdeb793c46e1

SHA256
e2c603e10670824883e8f277d0681c4e453efd8e121df3287fca871d5d3bf25e

SHA512
d2fa39a7021f78241344bbccf69679c75c1b60af52b75866e2a1c914346140652ec81276328a2553e813551a35b89e3e496541e0c51d0f97b1dcbdfb293a51eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bbed.TMP

Filesize
864B

MD5
128aa703b5c00b635db55093a97ad467

SHA1
9ceec0120f26c5116f6deb1e70aa9f3372c11c80

SHA256
dbf5dc773c23836187a15bfc5f16abc1ee1da50317e0070dbe5507a3a272517e

SHA512
3c9058f2cad54edc5f18d57533b4ccda0db81f0d0dc44445b9d19a41925c7f827a1464bea5e846faadf4c3f626a93e5bdefbed2d15cf9157adc1cead035638ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d0d8aafc935a9cfad9f650dc468839db

SHA1
a1b144733cea836ea64d2074469ae88ddd12cfc6

SHA256
d903b62ec6f40eff054f394080406cb7479b526b192014c8dc882bfa058efec6

SHA512
aff59acbcbec605730003fedfa893dec3b471b143f64839c7dfdc79ef1c3058f08b0424a10a3d9bfc4029fbdd2df922bd8f947563f500051ce78159b9c16b37f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ba4c54ddb1faec288189c50f2d128e3b

SHA1
352d17a949ed0799688f189523b20ed1d054476b

SHA256
6dfcfc6b414b90cf787735a35d66114b999b7c7304ea90d5b7fefe997641a647

SHA512
1f131ca5460beaf766c712f9544a10e14dc54f6c2b72cd6ba40c0a4f6424119cba39bde0459ca7170667d25d39a220bcecef91ad6dc42528959ee069970c8652

Download Submit
C:\Users\Admin\AppData\Local\Temp\66F7.tmp\66F8.tmp\66F9.bat

Filesize
90B

MD5
5a115a88ca30a9f57fdbb545490c2043

SHA1
67e90f37fc4c1ada2745052c612818588a5595f4

SHA256
52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d

SHA512
17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fn7yT90.exe

Filesize
100KB

MD5
7be6258c77371eb559eb6ab86fe39b07

SHA1
46722e003572597055d17ca0a0a264fbb50e2811

SHA256
2502fdba070ded6a7b8ea3661f8a1bcf9bf9bd74193de7be1198ab4f3e4e05e1

SHA512
9c5bc3a70b231278b507e1ef6922e4f4eeee9d778698645d8983ce3a603a7ea582fc997d4bad411c834ddd4b328e7b2622a52cf6ee878f0b7ab8ebab43e91ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ft3oe86.exe

Filesize
1.1MB

MD5
4a28734d620e9056a682eafc8737710c

SHA1
a1b4df9b836eccb5ad5d8a0cc68cc804974caf9a

SHA256
7207545041f9270d787ef09e158c2000745dd4dba1caf227d83d7724eb5cf8d3

SHA512
28c37df4fb6a156f90ef11b83c04db859d1cf1c4c2f58f9ce1a322570ae57ff40482b0fbb6264e4251f0a3ff88fb0c30535e708bbe7db14ab39aae10b3970415

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Vj9yf8.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl2vN14.exe

Filesize
929KB

MD5
63d3af4d87fd6bd88bca6df080a6bc3e

SHA1
0901ab28651cc427d69d5e691b2a6e2c2c2a74de

SHA256
6240c21f824b1bb46ab1112d11c3c40c836cf8be79e36b19aadb336b3d3c4fc9

SHA512
0b8974ae1b6c9f4b4c9b9408b747e89f9ab5d08195614012168512b9e492752d153d101aad4cec402d25372983d284b7b538193bf182fe5d1814a1a78210c2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4NT820Hf.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr3jV75.exe

Filesize
746KB

MD5
dc46125496cffd68e5ae4857f373af0b

SHA1
9996ed7d0deba475f70c435886644544b6e47e1f

SHA256
8eba8cee6a721e574c8930cbf03a7a0e8d8989db43ea31106493e07ac3f9f996

SHA512
388884836cbc59e6fb1014f430e349274f9a83f6981b3df90cfe177108cda31cafbbdecf406f61ae921fcc01e4baec40a4beae17d93e8158d33240db0bd80c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3es9218.exe

Filesize
459KB

MD5
a38ce3e2dc246d8e40f95186737c588f

SHA1
87eb3f865fdd506f345d1d586f4d8c4d490f669a

SHA256
c42efcd5f53c75f36a6ed5c8f8be82359b848285ffb0fc5acc12fbd625c7028e

SHA512
9b6dec7f0eaae988f522ec927e0082dd03ead7605387c52d6184ee899154c85e9f180622b7ca32377a9e9a0b1972e24131e0a47e2b27797c55736b25261d27c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pX0WF76.exe

Filesize
452KB

MD5
edc0c4302d8a7a49cc3f7b9f2e3ce9a9

SHA1
0159e3b33bae3c07f84b3e9ef132d589fd87133c

SHA256
fdc7f7a30e32be19f90e770c4a31b87e62c14a2dc553b5ba653a62b90b9860be

SHA512
d7e8dc43ee5362aaa98bc5f7480d04755299cd4997a026ed1143bd34ddac6761083b4e6dfb9812649f5c9f9df6148ae1bd40c6ca3386a664e955522e8e9770fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SX75WI3.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Px02xd.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
memory/1028-59-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-64-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-35-0x00000000024B0000-0x00000000024CE000-memory.dmp

Filesize
120KB

Download
memory/1028-36-0x0000000004C20000-0x00000000051C4000-memory.dmp

Filesize
5.6MB

Download
memory/1028-37-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

Filesize
112KB

Download
memory/1028-38-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-49-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-65-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-61-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-58-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-55-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-53-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-41-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-43-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-45-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-48-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/1028-52-0x0000000004AD0000-0x0000000004AE6000-memory.dmp

Filesize
88KB

Download
memory/2324-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2324-71-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2324-73-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4376-96-0x0000000007740000-0x000000000778C000-memory.dmp

Filesize
304KB

Download
memory/4376-88-0x00000000075E0000-0x000000000761C000-memory.dmp

Filesize
240KB

Download
memory/4376-87-0x0000000007580000-0x0000000007592000-memory.dmp

Filesize
72KB

Download
memory/4376-86-0x0000000007850000-0x000000000795A000-memory.dmp

Filesize
1.0MB

Download
memory/4376-85-0x0000000008560000-0x0000000008B78000-memory.dmp

Filesize
6.1MB

Download
memory/4376-79-0x0000000004950000-0x000000000495A000-memory.dmp

Filesize
40KB

Download
memory/4376-78-0x00000000074C0000-0x0000000007552000-memory.dmp

Filesize
584KB

Download
memory/4376-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download